b'                          U.S. Department of Agriculture\n                             Office of Inspector General\n\n\n\n\n                Audit Report\n\n U. S. Department of Agriculture, Office of the\n  Chief Information Officer, Fiscal Year 2010\nFederal Information Security Management Act\n\n\n\n\n                                    Audit Report 50501-02-IT\n                                             November 2010\n\x0c                          United States Department of Agriculture\n                                 Office of Inspector General\n                                   Washington, D.C. 20250\n\n\n\n\nDATE:          November 15, 2010\n\nThe Honorable Jeffrey Zients\nActing Director\nOffice of Management and Budget\nEisenhower Executive Office Building\n17th Street Pennsylvania Avenue NW\nWashington, D.C. 20503\n\nSUBJECT:       U.S. Department of Agriculture, Office of the Chief Information Officer,\n               Fiscal Year 2010 Federal Information Security Management Act Report\n               (Audit Report 50501-2-IT)\n\nThis report presents the results of our audits of the Department of Agriculture\xe2\x80\x99s (USDA) efforts\nto improve the management and security of its information technology (IT) resources. USDA\nand its agencies have taken actions to improve the security over their IT resources; however,\nadditional actions are still needed to establish an effective security program.\n\nSincerely,\n\n\n\nPhyllis K. 
Fong /s/\nInspector General\n\x0cTable of Contents\n\nExecutive Summary .................................................................................................1\n   Recommendations.................................................................................................6\nBackground & Objectives .......................................................................................9\n   Background ...........................................................................................................9\n   Objectives ............................................................................................................10\nScope and Methodology.........................................................................................11\nAbbreviations .........................................................................................................13\nExhibit A: Office of the Management and Budget (OMB) Reporting\nRequirements and U.S. Department of Agriculture (USDA) Office of\nInspector General (OIG) Position ........................................................................14\n\x0cU. S. Department of Agriculture, Office of the Chief Information\nOfficer, Fiscal Year 2010 Federal Information Security Management\nAct (FISMA) (Audit Report 50501-02-IT)\n\nExecutive Summary\nImprovements have been made in the Department\xe2\x80\x99s information technology (IT) security in the\nlast decade; however, many longstanding weaknesses remain. Since 2001, the Office of\nInspector General (OIG) has reported material weaknesses in the design and effectiveness of the\nDepartment\xe2\x80\x99s overall IT security program. The Department of Agriculture (USDA) is a large\nand complex organization, including 31 separate agencies and staff offices, each with its own IT\ninfrastructure. 
In 2009, we reported that in order to mitigate the continuing material weaknesses,\nthe Department should rethink its policy of attempting to simultaneously achieve numerous goals\nin short timeframes. We recommended that the Department and its agencies, working in\ncooperation, define and accomplish one or two critical objectives prior to proceeding to the next\nset of priorities. During fiscal year (FY) 2010, we saw some evidence of coordination; however,\nwe did not observe that the Department was making measurable progress in approaching this\nproblem collaboratively. OIG continues to consider this change in direction the best course of\naction for the Department.\n\nTo begin mitigating these weaknesses, the Department developed several plans throughout the\nyear. Once these plans become defined initiatives and are implemented, along with the required\npolicies, procedures, and a continuous monitoring component, the security posture of the\nDepartment and its agencies should improve. One of the Department\xe2\x80\x99s initiatives was the 2010\nCyber Security Summit. This successful summit provided outreach and education to USDA\nexecutives, and to program and technical staff that were in attendance.\n\nIn addition, the Department was successful in the initial deployment of a software solution that\nprovides real-time, continuous visibility and control for over 140,000 workstations and servers\non its network. When complete, this system of security tools should allow the Department to\nenforce continuous compliance, respond in real time to threats anywhere on the network, and\nstreamline multiple IT processes. In addition, the Department deployed a suite of network\nmonitoring and detection tools at fiscal year-end, which should further enhance the security of\nUSDA\xe2\x80\x99s networks. The suite is an integrated security solution, providing the foundation for\nenterprise-wide security monitoring, detection, and protection. 
Once these projects are\ncompletely implemented and continuous monitoring occurs, USDA\xe2\x80\x99s security posture should be\ngreatly improved. The Department is also in the pilot stages of a solution that should help to\nmitigate the significant weaknesses in identity management that agencies have reported in their\nannual self-assessments.\n\nThis report constitutes OIG\xe2\x80\x99s independent evaluation of the Department\xe2\x80\x99s IT security program\nand practices, as required by the Federal Information Security Management Act (FISMA).\nOIG\xe2\x80\x99s review is based on Office of Management and Budget (OMB)-provided questions for the\nFY 2010 FISMA review, which are designed to assess the status of the Department\xe2\x80\x99s security\nposture in FY 2010. For the FY 2010 FISMA review, OMB\xe2\x80\x99s framework requires us to audit\n\nAudit Report 50501-02-IT                                                                     1\n\x0cprocesses, policies, and procedures that had already been implemented and documented, and\nwere being monitored. While the Department\xe2\x80\x99s many planned activities may improve its\nsecurity posture in the future, the planned initiatives could not be evaluated as part of the\nFY 2010 FISMA review because they were not fully operational at the time.\n\nThe following summarizes the key matters discussed in Exhibit A of this report. Exhibit A\ncontains OIG\xe2\x80\x99s responses to the OMBs questions. The questions were defined in OMB\nMemorandum M-10-15, Fiscal Year 2010 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management, dated April 21, 2010. The universe\nof systems and agencies reviewed varied during each audit or review reflected in this report. As\npart of FISMA, OIG reviewed systems and agencies, OIG contractors, agency annual self-\nassessments, and various OIG audits throughout the year. 
Since the scope of each review and\naudit differed, we could not use every review or audit to answer each question.\n\nAgency officials are responsible for ensuring all systems meet Federal and Departmental\nrequirements and documenting their agency\xe2\x80\x99s compliance in the Cyber Security Assessment and\nManagement (CSAM) system.1 The Office of the Chief Information Officer (OCIO) is\nresponsible for ensuring that the agencies are compliant with Federal and Departmental guidance\nand are reporting aggregate results during the annual FISMA reporting cycle. CSAM has a\npowerful reporting capability that can be used to generate information covering: current\nCertification and Accreditation (C&A) status, completion of security control testing and review,\nand contingency plan testing results.2 The Department has access to the same CSAM\ninformation that we evaluated during the FISMA review and should have been aware of each of\nthe weaknesses we identified. The Department should use CSAM\xe2\x80\x99s capabilities more effectively\nin performing its oversight responsibilities. We continue to find the following:\n\n    \xc2\xb7    The Department was not completing the semi-annual inventory reconciliation as required\n         by Department procedures.3 The Department was unable to provide a reconciliation of\n         inventory for FY 2010. For example, we found three systems with the status of\n         operational and FISMA reportable in FY 2009; in FY 2010 their status had changed to\n\n\n\n\n1\n  CSAM is a comprehensive system developed by the Department of Justice, which can facilitate achieving FISMA\ncompliance. 
CSAM provides a vehicle for the Department, agencies, system owners, and security staffs to (1)\nmanage their system inventory, interfaces, and related system security threats and risks; (2) enter system security\ndata into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system\nsecurity documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate\ncustom and pre-defined system security status reports to effectively and efficiently monitor each agency\xe2\x80\x99s security\nposture and FISMA compliance. This includes agency-owned systems as well as those operated by contractors on\nthe agency\xe2\x80\x99s behalf.\n2\n  C&A is a process mandated by OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information\nResources,\xe2\x80\x9d dated November 28, 2000. The process requires that IT system controls be documented and tested by\ntechnical personnel and given the formal authority to operate by an agency official.\n3\n  Standard Operating Procedure for Information Technology Inventory Reconciliation and Certification, dated\nApril 28, 2009. The SOP requires that the Department reconcile the CSAM inventory with the Enterprise\nArchitecture Repository (EAR) and Electronic Capital Investment Management Repository System (eCPIC) systems\ninventory semi-annually.\n\nAudit Report 50501-02-IT                                                                                         2\n\x0c         operational but not FISMA reportable. No documentation was provided justifying this\n         status change.4\n\n    \xc2\xb7    Agencies are not following National Institute of Standards and Technology (NIST) and\n         Departmental5 guidance when preparing C&A documentation. 
Agencies are required to\n         submit their system C&A packages and all supporting documentation to the Department\n         for an in-depth review (referred to as a concurrency review). During the concurrency\n         review, the Department ensures that the documentation prepared to support system\n         accreditation6 is complete, accurate, reliable, and that it meets all NIST and other\n         mandated documentation standards. We noted in four of the C&A concurrency reviews\n         that the Department had concurred with the agencies\xe2\x80\x99 recommendations to accredit the\n         systems, even though the agencies\xe2\x80\x99 security certification documentation did not support\n         accreditation. We determined agencies had not followed NIST guidance in all four cases.\n\n         Specifically, we found concurrency reviews were not: (1) adequately reviewing agency\n         C&A documentation; (2) denying authority to operate for systems that did not have\n         controls in place to protect the system; and (3) ensuring all documentation was accurate\n         and complete. This occurred because the Department was not adequately overseeing the\n         concurrency process. As a result, USDA cannot be assured that all system controls had\n         been documented and tested, and systems were operating at an acceptable level of risk if\n         controls were not implemented effectively.\n\n         Additionally, we found 7 of 282 systems were granted a \xe2\x80\x9cConditional\xe2\x80\x9d Authority To\n         Operate (ATO). 7 The Department grants \xe2\x80\x9cConditional\xe2\x80\x9d ATOs when the issues are\n         considered minor, do not pose unacceptable risks to the security of the system, and can be\n         resolved within a year. DM 3555-001 discusses an \xe2\x80\x9cInterim Authority to Operate\xe2\x80\x9d with a\n         maximum allowable time to correct the deficiencies of 6 months. 
CSAM does not\n         recognize \xe2\x80\x9cConditional\xe2\x80\x9d ATOs; therefore, ensuring risks are resolved is difficult to\n         monitor and track. As a result, the Department and agencies can not ensure their testing\n         of security controls, documenting weaknesses, and tracking the mitigation of those\n         weaknesses is complete and accurate.\n\n    \xc2\xb7    The Department has established and is maintaining a security configuration management\n         program; however, it needs to make significant improvements. Specifically, we found\n         that the Department has not established adequate procedures, made available standard\n\n4\n  There is no corresponding question in Exhibit A for this section. OMB did not ask this question, however, an\naccurate inventory is the first step in an effective security program; therefore, we reviewed OCIOs inventory\nreconciliation efforts.\n5\n  NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated\nMay 2004; Departmental Manual (DM) 3555-001, Certification and Accreditation Methodology, dated October 18,\n2005.\n6\n  Security accreditation is the official management decision given by a senior agency official to authorize operation\nof an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based\non the implementation of an agreed-upon set of security controls.\n7\n  Authority to operate (ATO) is the last step in the C&A process. If the C&A is adequate and meets NIST\nrequirements, and the agency determines risks are acceptable, then an ATO is granted by the Department for a\nperiod of 3 years.\n\nAudit Report 50501-02-IT                                                                                        3\n\x0c         baseline configurations for all operating systems in use, completed its hardware\n         inventory, and completely scanned its networks and corrected its vulnerabilities. 
For\n         example, we found 699 missing software vendor patches over 30 days old that had not\n         been applied in three agencies we reviewed. These patches had not been installed in\n         more than 27,000 machines. Furthermore, 194 of those patches had been available from\n         Microsoft since 2008.\n\n    \xc2\xb7    The Department is not following its own policy and procedures in regard to incident\n         response and reporting. Our review of 28 incidents that occurred during the year\n         disclosed that all 28 incidents were not handled in accordance with Departmental\n         procedures.8 Additionally, United States Computer Emergency Readiness Team (US-\n         CERT) has established timeframes for when the Department is required to notify them of\n         incidents.9 Testing identified 11 of 28 incidents that were not reported to US-CERT\n         within the required timeframe. One of the 11 incidents included Personally Identifiable\n         Information (PII) and was not reported to US-CERT for 38 days, rather than within 1\n         hour as required.\n\n    \xc2\xb7    Department policies and procedures met all the NIST requirements for security\n         awareness training.10 However, USDA lacks policies and procedures governing\n         specialized security training for personnel with significant information security\n         responsibilities. In addition, we found that not all personnel received the required\n         specialized security training. For example, our review identified 5 of 20 employees who\n         required specialized training but were not able to provide documented proof of training.\n\n    \xc2\xb7    The Department did not have effective policies and procedures for reporting IT security\n         deficiencies in CSAM.11 We found the Plan of Action and Milestones (POA&Ms) did\n         not include all known security weaknesses. 
For example, the Department requires an\n         agency to create a POA&M when an identified vulnerability cannot be remediated within\n         30 days.12 However, testing at 3 agencies found 424 vulnerabilities that were over 30\n         days old without the required POA&Ms. This occurred because the Department security\n\n\n8\n  Agriculture Security Operations Center (ASOC) Computer Incident Response Team (CIRT), Standard Operating\nProcedures for Reporting Security and Personally Identifiable Information Incidents, SOP-ASOC-001, June 9,\n2009.\n9\n  The US-CERT provides response support and defense against cyber attacks for the Federal Civil Executive Branch\n(.gov) and information sharing and collaboration with State and local government, industry, and international\npartners. US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of\nHomeland Security (DHS). NCSD was established by DHS to serve as the Federal Government\xe2\x80\x99s cornerstone for\ncyber security coordination and preparedness.\n10\n   DM 3545-001, Computer Security Training and Awareness, dated February 17, 2005.\n11\n   OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones,\ndated October 17, 2001, required each agency to submit to OMB by October 31, 2001 (with brief quarterly updates\nthereafter), \xe2\x80\x9ca plan of action with milestones\xe2\x80\x9d to address all weaknesses identified by program reviews and\nevaluations. It defines a POA&M as a tool that identifies tasks needing to be accomplished to assist agencies in\nidentifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found\nin programs and systems. The goal of a POA&M should be to reduce the risk of the weakness identified. 
CSAM is\nused as the USDA POA&M repository, and to track and report to OMB progress to mitigate the weaknesses.\n12\n   DM 3530-001, Appendix A, Vulnerability Scan Procedures, July 20, 2005.\n\nAudit Report 50501-02-IT                                                                                       4\n\x0c         manual did not include a policy for establishing a POA&M13 process for reporting IT\n         security deficiencies and tracking the status of remediation efforts. Although there were\n         no formal policies, the Department had prepared a standard operating procedure (SOP)14\n         covering the POA&M Management Process. Our review of the SOP determined it was\n         written prior to the implementation of CSAM and requires updating to reflect the current\n         POA&M process. In addition, our review of POA&Ms within CSAM found that 630 of\n         3,411 had a Scheduled Completion Date of \xe2\x80\x9cto-be-determined\xe2\x80\x9d, instead of an actual date\n         that could be tracked and monitored in compliance with NIST guidance. We also noted\n         POA&Ms were not being timely remediated. We found that 533 of 1,830 POA&Ms that\n         were closed during the year were not completed by the due date.\n\n     \xc2\xb7   The Department\xe2\x80\x99s remote access program needs significant improvements. Testing\n         identified policies that did not meet NIST requirements.15 Also, the Department stated\n         that procedures are the responsibility of the agencies and; therefore, did not provide any\n         to OIG. In addition, employees did not follow the policies that did exist. For example,\n         the Department16 requires multi-factor authentication17 for all remote access. 
However,\n         we found six of the seven agencies reviewed had not implemented multi-factor\n         authentication.\n\n     \xc2\xb7   The Department had developed an account and identity management policy; however, it\n         was not sufficiently detailed or consistently implemented. We found that USDA\xe2\x80\x99s policy\n         did not meet NIST requirements, that the Department had not developed procedures for\n         managing accounts, and that the Department had not implemented account management\n         using the proper security. We found that four of the six agencies reviewed did not\n         properly implement USDA\xe2\x80\x99s Active Directories. For example, we found separated\n         employees with active accounts, excessively elevated account privileges granted to users,\n         and administrator accounts that did not follow the principle of granting the fewest\n         privileges users needed to perform their work. We found 12 of the 13 agencies reviewed\n         could not identify all user and non-user accounts within their Active Directory. We also\n         found that neither the Department nor three selected agencies had policy and procedures\n         for unauthenticated network devices, and that the three agencies reviewed were unable to\n         detect and properly authenticate all devices attached to their networks per NIST.18\n\n\n\n13\n   A POA&M is a tool that identifies tasks needing to be accomplished to assist agencies in identifying, assessing,\nprioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and\nsystems. It details resources required to accomplish the elements of the plan, milestones in meeting the task, and\nscheduled completion dates for the milestones. 
The goal of a POA&M should be to reduce the risk of the weakness\nidentified.\n14\n   POA&M Management Process, Standard Operating Procedure, dated February 27, 2008.\n15\n   NIST SP 800-46, revision 1, Guide to Enterprise Telework and Remote Access Security, dated June 2009.\n16\n   DR 3505-003, Access Control Policy, dated August 11, 2009.\n17\n   Multi-factor authentication is a security process in which the user provides two means of identification, one of\nwhich is typically a physical token, such as a card, and the other of which is typically something memorized, such as\na security code. In this context, the two factors involved are sometimes spoken of as something you have and\nsomething you know.\n18\n   NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev 3,\ndated August 2009.\n\nAudit Report 50501-02-IT                                                                                       5\n\x0c       \xc2\xb7   The Department had not established a continuous monitoring program, as required by\n           NIST, though it is planning to implement one by the end of FY 2011.\n\n       \xc2\xb7   The Department had contingency plan policies that were fully developed; however, it had\n           not effectively implemented contingency procedures. We found that 2 of the 23 agency\n           systems reviewed did not have a fully developed and consistently implemented procedure\n           for contingency planning. For example, during an audit conducted this year, we\n           identified 9 of 18 visited field sites that were unable to provide backup procedures. In\n           addition to USDA not implementing effective procedures, the agencies were not testing\n           contingency plans. 
During FY 2010, we found that agencies did not test their\n           contingency plans for 48 of 27919 systems reviewed, as required by NIST SP 800-53.\n\n       \xc2\xb7   The Department did not have policies and procedures to oversee systems operated on the\n           agencies\xe2\x80\x99 behalf by contractors or other entities. In addition, we found the Department\n           does not have an accurate inventory of contractor systems\xe2\x80\x9412 systems were identified in\n           the FY 2009 FISMA audit as contractor systems, but they were not listed as such on the\n           inventory. During this year\xe2\x80\x99s audit, we found that 11 of those systems are still not\n           identified as contractor systems. FISMA requires agencies to maintain an inventory of\n           their information systems, which includes an identification of the interfaces between each\n           system, and all other systems or networks, including those not operated by or under the\n           control of the agency.20 We found 22 of the 31 systems that we reviewed had incorrectly\n           reported the interconnections to other systems not operated by the agency.\n\nWe received OCIO comments to this report on November 12, 2010 and have incorporated those\ncomments into this report as appropriate. For example, we have recognized OCIO initiatives in\nthe areas of planning, outreach, and security tools. OCIO disagreed with many of the findings in\nthis report; however, after further review of its response we maintain our position. For example,\nOCIO stated that NIST guidance is not required to be followed and therefore several of our\nfindings were invalid. However, OMB Memo 10-15 states that use of NIST publications is\nrequired for non-national security systems. In another example, they questioned our criteria on\nreporting to US-CERT and stated that there is no way to guarantee an absolute timeline on the\ninvestigation. 
However, these criteria come from US-CERT and are posted on its website, and\nare also included in the Department SOP. Finally, the OCIO stated they did not agree that they\nissued \xe2\x80\x9cConditional\xe2\x80\x9d ATOs. However, the term \xe2\x80\x9cConditional\xe2\x80\x9d ATO was derived from an\ninterview with OCIO personnel in response to OIG\xe2\x80\x99s question of why some ATOs were granted\nfor 1 year. We will follow-up with OCIO regarding each of the issues raised in their response.\n\nRecommendations\n1. Develop detailed procedures for the consistent use of CSAM. Those procedures should\nidentify exactly where documents should reside, and which documents should be uploaded into\nCSAM. In addition, procedures should specify fields in CSAM to be populated and provide\ndirections as to which data should be in the fields.\n\n19\n     Based on a CSAM report generated on October 22, 2010.\n20\n     FISMA of 2002, Title III Information Security, dated December 17, 2002.\n\nAudit Report 50501-02-IT                                                                        6\n\x0c2. Discontinue the use of \xe2\x80\x9cConditional\xe2\x80\x9d ATO\xe2\x80\x99s and follow OMB requirements.\n\n3. Ensure documented configuration management procedures are developed and consistently\nimplemented across the Department. Include baseline configurations for all approved software\nand hardware. Any changes to the baseline guides should be documented and approved.\n\n4. Ensure scanning for compliance to the baseline configurations and for vulnerabilities is\npreformed as required by NIST.\n\n5. Develop automated procedures for the timely and secure installation of software patches.\n\n6. Ensure all Departmental and agency policy and procedures adhere to NIST requirements.\n\n7. Ensure that the Department\xe2\x80\x99s training repository is completely populated to ensure all\nrequired personnel receive the required training.\n\n8. 
Develop POA&M policy and procedures that adhere to Federal requirements. The policy and\nprocedures should include detailed instructions for the use of CSAM, an effective closure review\nprocess, and periodic reviews of the information in CSAM.\n\n9. Develop a remote access and telework policy and procedures that fully comply with NIST.\n\n10. Complete the Departmental projects that will enforce multi-factor authentication and\nexternal media encryption.\n\n11. Develop account and identity management policy and procedures that fully comply with\nNIST. These should include, but not be limited to, Active Directory procedures based on\nMicrosoft Best Practices, periodic oversight and review of identity management within the\nDepartment, and best practices for network device authentication.\n\n12. Develop policies, procedures, strategies, and implementation plans for continuous\nmonitoring, including items such as vulnerability scanning, log monitoring, notification of\nunauthorized devices, and sensitive new accounts in accordance with NIST.\n\n13. Develop ongoing assessments of selected security controls that have been performed, based\non the approved continuous monitoring plans.\n\n14. Ensure system authorizing officials and other key system officials are provided with security\nstatus reports covering updates to security plans and security assessment reports, as well as\nPOA&M additions.\n\n15. Ensure that agencies have developed effective contingency planning policy and procedures\nin accordance with NIST. The policy and procedures should address suitable alternate\nprocessing sites, backup tape storage locations, and backup testing.\n\n16. Perform an overall business impact assessment for the Department.\n\n\nAudit Report 50501-02-IT                                                                      7\n\x0c17. Ensure that all required contingency planning documents are in CSAM and all required\nfields are properly populated. 
This should include recovery strategies, plans, and procedures, as\nwell as testing, training, and exercise results. Periodically review CSAM to ensure agency\ncompliance.\n\n18. Develop policy and procedures for information security oversight of systems operated on the\nagency\xe2\x80\x99s behalf. These policy and procedures should ensure that an accurate inventory of\ncontractor systems and memoranda of understanding/interconnection service agreements is\ncompleted periodically.\n\n19. Ensure contractor and non-contractor systems inventory and interfaces are accurate and\nupdates are completed at least annually.\n\n\n\n\nAudit Report 50501-02-IT                                                                     8\n\x0cBackground & Objectives\n\nBackground\nImproving the overall management and security of IT resources needs to be a top priority for\nUSDA. Technology enhances users\xe2\x80\x99 ability to share information instantaneously among\ncomputers and networks, but it also makes organizations\xe2\x80\x99 networks and IT resources vulnerable\nto malicious activity and exploitation by internal and external sources. Insiders with malicious\nintent, recreational and institutional hackers, and attacks by foreign intelligence organizations are\na few of the threats to the Department\xe2\x80\x99s critical systems and data.\n\nOn December 17, 2002, the President signed into law the e-Government Act (Public Law\n107-347), which includes Title III, \xe2\x80\x9cFederal Information Security Management Act.\xe2\x80\x9d FISMA\npermanently reauthorized the framework established by the Government Information Security\nReform Act (GISRA) of 2000, which expired in November 2002. 
FISMA continued the annual\nreview and reporting requirements introduced in GISRA, but it also included new provisions that\nfurther strengthened the Federal Government\xe2\x80\x99s data and information systems security, such as\nrequiring the development of minimum control standards for agencies\xe2\x80\x99 systems. NIST was\ntasked to work with agencies developing those standards as part of its statutory role in providing\ntechnical guidance to Federal agencies.\n\nFISMA supplements information security requirements established in the Computer Security Act\nof 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996. FISMA\nconsolidated these separate requirements and guidance into an overall framework for managing\ninformation security. It established new annual reviews, independent evaluation, and reporting\nrequirements to ensure agencies implemented FISMA. It also established how OMB and\nCongress would oversee IT security.\n\nFISMA assigned specific responsibilities to OMB, agency heads, Chief Information Officers\n(CIO), and Inspectors General (IG). OMB is responsible for establishing and overseeing\npolicies, standards, and guidelines for information security. The responsibilities include the\nauthority to approve agencies\xe2\x80\x99 information security programs. OMB also requires the submittal\nof an annual report to Congress summarizing the results of each agency\xe2\x80\x99s evaluation of its\ninformation security programs.\n\nEach agency must establish a risk-based information security program that ensures information\nsecurity is practiced throughout the lifecycle of each agency\xe2\x80\x99s system. 
Specifically, the agency’s CIO is required to oversee the program, which must include:

   ·   periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems, and to data supporting critical operations and assets;
   ·   development and implementation of risk-based, cost-effective policies and procedures to provide security protections for the agency’s information;
   ·   training that covers security responsibilities for information security personnel and security awareness for agency personnel;
   ·   periodic management testing and evaluation of the effectiveness of security policies, procedures, controls, and techniques;
   ·   processes for identifying and remediating significant security deficiencies;
   ·   procedures for detecting, reporting, and responding to security incidents; and
   ·   annual program reviews by agency officials.

In addition to the responsibilities listed above, FISMA requires each agency to have an annual independent evaluation of its information security program and practices, including control testing and a compliance assessment.
The evaluations are to be performed by the agency’s IG or an independent evaluator, and the results of these evaluations are to be reported to OMB.

Objectives
The objective of this audit was to evaluate the status of USDA’s overall IT security program by evaluating:

   ·   the effectiveness of the Department’s oversight of agencies’ CIOs, and compliance with FISMA;
   ·   the agencies’ system of internal controls over IT assets;
   ·   the Department’s progress in establishing a Departmentwide security program, which includes effective certifications and accreditations;
   ·   the agencies’ and Department’s plan of action and milestones (POA&M) consolidation and reporting process; and
   ·   the effectiveness of controls over configuration management, incident response, IT training, remote access management, identity and access management, continuous monitoring, contingency planning, and contractor systems.

Scope and Methodology
The scope of our review was Departmentwide and included agency IT audit work completed during FY 2010. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Fieldwork for this audit was performed at USDA locations throughout the continental United States from June 2010 through October 2010. In addition, this report incorporates audits done throughout the year by OIG.
Testing was conducted at offices in Washington, D.C., Kansas City, Missouri, and St. Louis, Missouri. Additionally, in this report, we included the results of IT control testing and compliance with laws and regulations performed by contract auditors at seven additional agencies. In total, our FY 2010 audit work covered 12 agencies and staff offices:

   ·   Animal and Plant Health Inspection Service (APHIS),
   ·   Agricultural Research Service (ARS),
   ·   National Agricultural Statistics Service (NASS),
   ·   Grain Inspection, Packers, and Stockyards Administration (GIPSA),
   ·   Food Safety and Inspection Service (FSIS),
   ·   Farm Service Agency (FSA),
   ·   Food and Nutrition Service (FNS),
   ·   Forest Service (FS),
   ·   Natural Resources Conservation Service (NRCS),
   ·   Office of the Chief Financial Officer (OCFO),
   ·   Office of the Chief Information Officer (OCIO),
   ·   Rural Development (RD), and
   ·   Risk Management Agency (RMA).

These agencies and staff offices operate approximately 227 of the USDA’s estimated 282 general support and major application systems within the Department.

To accomplish our audit objectives, we performed the following procedures:

   ·   Consolidated the results and issues from our prior IT security audit work and the work of contractors performed for USDA’s OIG. Contractor audit work consisted primarily of audit procedures found in the U.S. Government Accountability Office’s (GAO) Financial Information System Control Audit Manual;
   ·   Evaluated the Department’s progress in implementing recommendations to correct material weaknesses identified in prior OIG and GAO audit reports;
   ·   Gathered the necessary information to address the specific reporting requirements outlined in OMB Memorandum M-10-15, Fiscal Year 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated April 21, 2010; and
   ·   Performed detailed testing specific to FISMA requirements at selected agencies, as detailed in this report.

Testing results were compared against NIST controls, OMB guidance, e-Government Act requirements, and Departmental policies and procedures for compliance.

Abbreviations
ASOC                Agriculture Security Operations Center
ATO                 Authority to Operate
BIA                 Business Impact Analysis
C&A                 Certification and Accreditation
CIO                 Chief Information Officer
CIRT                Computer Incident Response Team
CS                  Contractor Systems
CSAM                Cyber Security Assessment and Management
DHS                 Department of Homeland Security
FCD1                Federal Continuity Directive 1
FDCC                Federal Desktop Core Configuration
FIPS                Federal Information Processing Standards
FISMA               Federal Information Security Management Act of 2002
FY                  Fiscal Year
HSPD                Homeland Security Presidential Directive
ISA                 Interconnection Security Agreement
IT                  Information Technology
MOU/A               Memorandum of Understanding/Agreement
NCSD                National Cyber Security Division
NIST                National Institute of Standards and Technology
N/R                 Not Reviewed
OCIO                Office of the Chief Information Officer
OIG                 Office of Inspector General
OMB                 Office of Management and Budget
PIV                 Personal Identity Verification
POA&M               Plan of Action and Milestones
RA                  Risk Assessment
SOP                 Standard Operating Procedure
SP                  Special Publication
SSP                 System Security Plan
TBD                 To Be Determined
TT&E                Training, Testing, and Exercises
US-CERT             United States Computer Emergency Readiness Team
USDA                U.S. Department of Agriculture

Exhibit A: Office of the Management and Budget (OMB) Reporting Requirements and U.S. Department of Agriculture (USDA) Office of Inspector General (OIG) Position
OMB’s questions are set apart by boldface in each section. OIG checks items on OMB’s list, boldfacing and underlining the relevant text. We answer direct questions with True, False, or Not Reviewed (NR).

The universe of systems and agencies reviewed varied during each audit or review reflected in this report. As part of its FISMA work, OIG drew on its reviews of systems and agencies, the work of OIG contractors, agency annual self-assessments, and various OIG audits throughout the year. Since the scope of each review and audit differed, we could not use every review or audit to answer each question.

S1: Certification and Accreditation
Section 1: Status of Certification and Accreditation (C&A) Program

1. Check one:

a. The Agency has established and is maintaining a certification and accreditation program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

       1. Documented policies and procedures describing the roles and responsibilities of participants in the certification and accreditation process.
       2. Establishment of accreditation boundaries for agency information systems.
       3. Categorizes information systems.
       4. Applies applicable minimum baseline security controls.
       5. Assesses risks and tailors security control baseline for each system.
       6. Assessment of the management, operational, and technical security controls in the information system.
       7. Risks to Agency operations, assets, or individuals analyzed and documented in the system security plan, risk assessment, or an equivalent document.
       8. The accreditation official is provided (i) the security assessment report from the certification agent providing the results of the independent assessment of the security controls and recommendations for corrective actions; (ii) the plan of action and milestones from the information system owner indicating actions taken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in the information system; and (iii) the updated system security plan with the latest copy of the risk assessment.

b. The Agency has established and is maintaining a certification and accreditation program. However, the Agency needs to make significant improvements as noted below.

c. The Agency has not established a certification and accreditation program.

1a. If b. checked above, check areas that need significant improvement:

1a(1) Certification and accreditation policy is not fully developed. False

No exceptions noted.

1a(2) Certification and accreditation procedures are not fully developed, sufficiently detailed, or consistently implemented. True

Based on the OIG reviews performed throughout FY 2010, we found that agencies were not following NIST and Departmental guidance when preparing C&A documentation.[21] Agencies are required to submit their system C&A packages and all supporting documentation to the Department for an in-depth review (referred to as a concurrency review). During the concurrency review, the Department should ensure that the documentation prepared to support system accreditation is complete, accurate, reliable, and satisfies all NIST and other mandated documentation standards.[22] We evaluated four C&A concurrency reviews where the Department had concurred with the agencies’ recommendations to accredit the system. We found the agencies’ security certification[23] documentation did not support accreditation, and we determined that agencies had not followed NIST guidance in all four cases. Specifically, we found concurrency reviews were not: (1) adequately reviewing agency C&A documentation; (2) denying authority to operate for systems that did not have controls in place to protect the system; and (3) ensuring all documentation was accurate and complete. This occurred because the Department was not adequately overseeing the concurrency process.
As a result, USDA cannot be assured that all system controls had been documented and tested, or that systems were operating at an acceptable level of risk where controls were not implemented effectively.

1a(3) Information systems are not properly categorized (FIPS 199/SP 800-60). True

NIST states that the overall impact level for any given system should be based on the highest impact level among the system’s security objectives.[24] The controls applied to the system are then based upon that impact level. NIST provides recommended settings for each of these levels.

We generated a report from Cyber Security Assessment and Management (CSAM) which identified the impact level for each of the Department’s systems.[25] The report included the impact levels for Confidentiality, Integrity, and Availability, each categorized as high, moderate, or low. We compared the generated report to the recommendations in NIST and found 24 of 282 systems indicated a lower categorization than was recommended during the C&A process, without adequate justification for the reduction in categorization level. NIST requires that any adjustments to the recommended impact levels be documented and include justification for the adjustment.

[21] NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004; DM 3555-001, Certification and Accreditation Methodology, dated October 18, 2005.
[22] Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
[23] Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
[24] NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Vol. 1, dated August 2008.

1a(4) Accreditation boundaries for agency information systems are not adequately defined. False

No exceptions noted.

1a(5) Minimum baseline security controls are not adequately applied to information systems (FIPS 200/NIST SP 800-53). True

NIST recommends a set of minimum baseline security controls, based on the system’s overall categorization.[26] The lower the category, the fewer controls are required. Therefore, the incorrect categorizations noted in 1a(3) led to inadequate controls being implemented for those 24 systems. NIST SP 800-60 states that an incorrect information system impact analysis can result in the agency either over-protecting the information system (thereby wasting valuable security resources) or under-protecting the information system and placing important operations and assets at risk.

1a(6) Risk assessments are not adequately conducted (NIST SP 800-30). True

NIST SP 800-30 states that risk assessments are the first step in the risk management methodology. The risk assessments determine the likelihood of a future adverse event.
Threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the implemented controls for the IT system.[27] We found 12 of the 30 risk assessments (RA) reviewed were inadequately conducted. For example, none of the four RAs reviewed during this audit had been updated based on testing done during the C&A process. Additionally, one of these RAs referred to a system which had nothing to do with the system being reviewed.

[25] CSAM is a comprehensive system developed by the Department of Justice which can facilitate achieving Federal Information Security Management Act (FISMA) compliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staffs to (1) manage their system inventory, interfaces, and related system security threats and risks; (2) enter system security data into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system security documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate custom and pre-defined system security status reports to effectively and efficiently monitor each agency’s security posture and FISMA compliance. This includes agency-owned systems and those operated by contractors on the agency’s behalf.
[26] NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev 3, dated August 2009.
[27] NIST SP 800-30, Risk Management Guide for Information Technology Systems, dated July 2002.

1a(7) Security control baselines are not adequately tailored to individual information systems (NIST SP 800-30). True

NIST SP 800-53 recommends a set of minimum baseline security controls, based on the overall categorization of the system.
The lower the category, the fewer controls are required. Therefore, the incorrect categorizations noted in 1a(3) led to inadequate controls being implemented for those 24 systems. NIST SP 800-60 states that an incorrect information system impact analysis can result in the agency either over-protecting the information system (thereby wasting valuable security resources) or under-protecting the information system and placing important operations and assets at risk. In addition, we found that documentation for all four of the systems evaluated during our review of the concurrency process did not define how the agencies’ systems had actually implemented the controls. In some instances the controls were taken verbatim from NIST documentation and did not specify how the controls were implemented in the system.

1a(8) Security plans do not adequately identify security requirements (NIST SP 800-18). True

NIST requires Federal agencies to adopt a minimum set of security controls to protect their information and information systems.[28] Federal agencies must meet the minimum security requirements defined in Federal Information Processing Standards (FIPS) 200 through the use of the security controls in NIST SP 800-53. However, we found 12 of the 30 System Security Plans (SSP) reviewed by OIG or outside contractors were inadequate.[29] Our review of the SSPs found the security controls did not include sufficiently detailed descriptions of how the controls were implemented. For example, if a specific control was not implemented, we found that there was no justification as to what would compensate for the control. Also, we found SSPs had controls listed as “planned,” but did not state when the implementation would occur or whether any compensating controls existed in the interim.

1a(9) Inadequate process to assess security control effectiveness (NIST SP 800-53A). True

NIST SP 800-53 requires organizations to assess the security controls in each system and document the results, using appropriate assessment procedures, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Agency self-assessments completed throughout the year identified 37 controls that were inadequately designed and implemented within 12 systems. Also, the SSPs for all four of the systems reviewed during our evaluation of the concurrency reviews did not sufficiently document the controls tested. For example, one SSP included a statement in the boundaries section that said “not sure where the four systems come from,” while others referenced data from the Departmental template instead of the actual information on the system.

[28] NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, Rev 1, dated February 2006.
[29] The SSP is a required C&A document that provides an overview of the security requirements of the system and describes the controls in place (or planned) for meeting those requirements. The SSP also delineates responsibilities and expected behavior of all individuals who access the system. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, dated February 2006.
In addition, we found 68 systems did not have their security controls tested and reviewed in the past year.

1a(10) Inadequate process to determine risk to agency operations, agency assets, or individuals, or to authorize information systems to operate (NIST SP 800-37). True

NIST states the explicit acceptance of risk is the responsibility of the authorizing official and cannot be delegated to other officials within the organization. The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate.[30] We found 12 of 30 systems reviewed by OIG or outside contractors were granted an Authority to Operate (ATO), even though they did not have an adequate process in place to determine risk to agency operations, agency assets, or individuals, or to authorize information systems to operate.[31] The C&A documents were the basis for this decision and, as noted in the questions above, C&A documents were missing, inaccurate, or incomplete. In addition, we found 13 of the 282 systems had an expired ATO.

1a(11) Inadequate process to continuously track changes to information systems that may necessitate reassessment of control effectiveness (NIST SP 800-37). True

NIST SP 800-37 states that Federal organizations must provide an effective method of tracking changes to information over time through strict configuration management and control procedures (including version control) in order to: (1) achieve transparency in the information security activities of the organization; (2) obtain individual accountability for security-related actions; and (3) better understand emerging trends in the organization’s information security program.
Audit work performed throughout the year by OIG and outside contractors found 8 of the 26 systems reviewed did not have a process to continuously track changes to information systems.

[30] NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Rev 1, dated February 2010.
[31] Authority to operate (ATO) is the last step in the C&A process. If the C&A is adequate and meets NIST requirements, and the agency determines risks are acceptable, then an ATO is granted by the Department for a period of 3 years.

S2: Configuration Management
Section 2: Status of Security Configuration Management

2. Check one:

a. The Agency has established and is maintaining a security configuration management program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

       1. Documented policies and procedures for configuration management.
       2. Standard baseline configurations.
       3. Scanning for compliance and vulnerabilities with baseline configurations.
       4. FDCC baseline settings fully implemented and/or any deviations from FDCC baseline settings fully documented.
       5. Documented proposed or actual changes to the configuration settings.
       6. Process for the timely and secure installation of software patches.

b. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to make significant improvements as noted below.

c. The Agency has not established a security configuration management program.

2a. If b. checked above, check areas that need significant improvement:

2a(1) Configuration management policy is not fully developed. True

We found that the Department’s configuration management policy meets NIST SP 800-53 requirements; however, two of the nine agencies’ policies reviewed by OIG or outside auditors did not meet the NIST requirements.

2a(2) Configuration management procedures are not fully developed or consistently implemented. True

NIST SP 800-53 requires that the organization develop formal documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. OIG or outside auditors found that five of eight agencies did not fully or consistently develop configuration management procedures. One of the five agencies was unable to provide any documented procedures. In addition, the annual self-assessment identified 11 agencies that had configuration management weaknesses in 28 systems.

2a(3) Software inventory is not complete (NIST SP 800-53: CM-8). True

NIST SP 800-53 requires the organization to develop, document, and maintain an inventory of information system components which accurately reflects the current information system and is available for review and audit by designated organizational officials. We found that one of five agencies reviewed did not have a complete software inventory.

2a(4) Standard baseline configurations are not identified for all software components (NIST SP 800-53: CM-8). True

NIST SP 800-53 requires the organization to develop, document, and maintain under configuration control a current baseline configuration of the information system. The Department did not maintain a current baseline configuration guide for all operating systems in use at USDA. For example, our reviews of four agencies found a total of 21 different operating systems in use.
However, 17 of them did not have the required configuration guides available.

2a(5) Hardware inventory is not complete (NIST SP 800-53: CM-8). True

NIST requires that the organization develop, document, and maintain an inventory of information system components which accurately reflects the current state of the information system and is available for review and audit by designated organizational officials. We found that one of the four agencies reviewed did not maintain a complete hardware inventory.

2a(6) Standard baseline configurations are not identified for all hardware components (NIST SP 800-53: CM-2). True

We found that neither the Department nor the three agencies reviewed during the audit were able to provide standard baseline configurations for hardware components.

2a(7) Standard baseline configurations are not fully implemented (NIST SP 800-53: CM-2). True

Our review found that 763,417 of 1,647,432 (over 46 percent) Windows 2003 configuration settings did not comply with current Federal guidelines.[32]

2a(8) FDCC is not fully implemented (OMB) and/or all deviations are not fully documented. False

No exceptions noted. OMB required that agencies with Windows Vista or Windows XP operating systems, or plans to upgrade to these operating systems, adopt standard security configurations on workstations by February 1, 2008.[33] The standard security configurations were developed by NIST, the Department of Defense, and the Department of Homeland Security and are commonly referred to as the Federal Desktop Core Configuration (FDCC). Our reviews found over 88 percent of all required settings on workstations were compliant. In addition, our review at five agencies found all deviations from the FDCC had fully documented required waivers.
This is a vast improvement from FY 2009, when only 8 percent of the Department’s computers complied with FDCC settings or had deviations documented.

2a(9) Software scanning capabilities are not fully implemented (NIST SP 800-53: RA-5, SI-2). True

The Department requires all agencies to establish and implement procedures for accomplishing vulnerability scanning of all networks, systems, servers, and desktops for which they have responsibility.[34] This includes performing monthly scans and remediating vulnerabilities found as a result of the scans. We found six of seven agencies did not scan all devices and did not correct critical vulnerabilities in a timely manner.

[32] Defense Information Systems Agency, Windows 2003 Security Technical Implementation Guide, dated August 27, 2010.
[33] OMB Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, dated March 22, 2007.
[34] DM 3530-001, USDA Vulnerability Scan Procedures, dated July 20, 2005.

2a(10) Configuration-related vulnerabilities have not been remediated in a timely manner (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2). True

NIST requires Federal agencies to establish and document mandatory configuration settings for information technology products employed within the information system, and to implement the recommended configuration settings. Our review of four agencies disclosed that configuration vulnerabilities were not being mitigated and remediated in a timely manner. Specifically, we found that 42 network device settings were not configured in accordance with NIST SP 800-53.

2a(11) Patch management process is not fully developed (NIST SP 800-53: CM-3, SI-2). True

NIST requires Federal agencies to incorporate vendor software flaw remediation (patches) into the organizational configuration management process.
Our review at three agencies identified 699 missing patches that were over 30 days old and had not been applied to 27,813 machines. Furthermore, 194 of those patches had been available from the vendor since 2008.

3. Identify baselines reviewed:

Apple Mac OS X
Cisco Catalyst
Cisco IOS
Microsoft Exchange Server 2003
Microsoft Windows Mobile 6
Microsoft Windows Server 2000
Microsoft Windows Server 2003
Microsoft Windows Vista Enterprise Edition
Microsoft Windows XP Professional
Oracle Database 10g
Redhat Enterprise Linux 4
Research In Motion Blackberry
Sun Solaris 10
Other

S3: Incident Response and Reporting
Section 3: Status of Incident Response & Reporting Program

4. Check one:

a. The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

       1. Documented policies and procedures for responding to and reporting incidents.
       2. Comprehensive analysis, validation, and documentation of incidents.
       3. When applicable, reports to US-CERT within established timeframes.
       4. When applicable, reports to law enforcement within established timeframes.
       5. Responds to and resolves incidents in a timely manner to minimize further damage.

b. The Agency has established and is maintaining an incident response and reporting program. However, the Agency needs to make significant improvements as noted below.

c. The Agency has not established an incident response and reporting program.

4a. If b. checked above, check areas that need significant improvement:

4a(1) Incident response and reporting policy is not fully developed. True

We compared the Departmental and selected agency incident handling policies with NIST requirements in order to ensure all necessary elements were addressed.[35] We found that Department policy generally met all of the NIST requirements, but all three agencies’ policies we reviewed were missing required elements. For example, we found that the three agencies did not have a detailed list of the reasons incidents should be declared, classifications of different types of incidents, or roles and responsibilities of agency personnel.

4a(2) Incident response and reporting procedures are not fully developed, sufficiently detailed, or consistently implemented. True

Our review of incidents throughout the year found that none of the 28 incidents we reviewed were handled in accordance with Departmental procedures.[36] Agencies are required to submit documentation to the Department detailing the steps taken to close out the incident. Specific documents and completed forms are required to be returned to the Department; however, we found that all 28 incidents either had incomplete incident documentation or did not include the required documentation outlined in the procedures. For example, one incident involving personal information had “not applicable” marked on the Departmental form question asking whether the incident involved personal information.

4a(3) Incidents were not identified in a timely manner (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19). True

Our review found that the Department did not identify 1 of 15 incidents in a timely manner. That incident was reported timely to the Department, but Departmental employees took seven days to create the incident report and respond back to the agency.
This particular category of incident is required to be reported to the United States Computer\nEmergency Readiness Team (US-CERT) within one day.37\n\n35\n   NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev 3,\nAugust 2009; and NIST SP 800-61, Computer Security Incident Handling Guide, March 2008.\n36\n   Agriculture Security Operations Center (ASOC) Computer Incident Response Team (CIRT), Standard Operating\nProcedures for Reporting Security and Personally Identifiable Information Incidents, SOP-ASOC-001, June 9,\n2009.\n\n4a(4) Incidents were not reported to US-CERT as required (NIST SP 800-53, 800-61, and\nOMB M-07-16, M-06-19). True\n\nUS-CERT requires USDA to notify it of incidents within specified timeframes, based on the\ncategory of the incident. Our review of incidents disclosed that USDA did not report 11 of 28\nincidents to US-CERT within the required timeframe. For example, US-CERT requires that\nbreaches of personally identifiable information (PII) be reported within one hour; however, we\nfound that USDA did not report five incidents in this category within this timeframe. One PII\nincident was not reported for 38 days.\n\n4a(5) Incidents were not reported to law enforcement as required. True\n\nNIST SP 800-61 and Departmental procedures require evidence of contact with a local police\ndepartment if the incident is of a certain category. One of 15 incidents reviewed was for a stolen\ncomputer, but we found no evidence that USDA reported the incident to local law enforcement,\nas required.\n\n4a(6) Incidents were not resolved in a timely manner (NIST SP 800-53, 800-61, and\nOMB M-07-16, M-06-19). 
True\n\nBased on testing conducted for 4a(4) and 4a(7), we found that USDA did not resolve 2 of 15\nincidents timely.\n\n4a(7) Incidents were not resolved to minimize further damage (NIST SP 800-53, 800-61,\nand OMB M-07-16, M-06-19). True\n\nThe Department\xe2\x80\x99s SOP requires that IT employees immediately remove a computer containing\nprohibited software from the network and uninstall the software before the computer is returned\nto production. We found, however, that IT employees did not follow this SOP in 1 of the 15\nincidents reviewed during this audit. In this particular case, the prohibited software was still on\nthe computer the next day when it was again reported as an incident.\n\n4a(8) There is insufficient incident monitoring and detection coverage (NIST SP 800-53,\n800-61, and OMB M-07-16, M-06-19). True\n\nThe Department has relied on US-CERT to monitor and detect incidents; however, on\nSeptember 27, 2010, the Department implemented a suite of network monitoring and detection\n\n\n37\n  The US-CERT provides response support and defense against cyber attacks for the Federal Civil Executive\nBranch (.gov) and information sharing and collaboration with State and local government, industry, and\ninternational partners. US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the\nDepartment of Homeland Security (DHS). 
The NCSD was established by DHS to serve as the Federal\nGovernment\xe2\x80\x99s cornerstone for cyber security coordination and preparedness.\n\nAudit Report 50501-02-IT                                                                                 23\n\x0cdevices which should greatly enhance the Department\xe2\x80\x99s ability to detect fraudulent or illegal\nactivity, prior to the Department being notified by US-CERT.\n\nAdditionally, for an organization to have a sufficient incident monitoring and detection program,\nNIST requires that Federal agencies train personnel in their incident response roles and\nresponsibilities and that the organization test its incident response capability with the use of\nautomated mechanisms. Our review of the Department\xe2\x80\x99s policies and procedures and our\ndiscussions with Departmental personnel indicated the Department does not have a training\nprogram in place nor does it perform training exercises with the aid of automated mechanisms.\n\nS4: Security Training\nSection 4: Status of Security Training Program\n\n5. Check one:\n\na. The Agency has established and is maintaining a security training program that is\ngenerally consistent with NIST\'s and OMB\'s FISMA requirements. Although improvement\nopportunities may have been identified by the OIG, the program includes the following\nattributes:\n\n           1. Documented policies and procedures for security awareness training.\n           2. Documented policies and procedures for specialized training for users with\n           significant information security responsibilities.\n           3. Appropriate training content based on the organization and roles.\n           4. Identification and tracking of all employees with login privileges that need\n           security awareness training.\n           5. Identification and tracking of employees without login privileges that require\n           security awareness training.\n           6. 
Identification and tracking of all employees with significant information security\n           responsibilities that require specialized training.\n\nb. The Agency has established and is maintaining a security training program. However,\nthe Agency needs to make significant improvements as noted below.\n\nc. The Agency has not established a security training program.\n\n5a. If b. checked above, check areas that need significant improvement:\n\n5a(1) Security awareness training policy is not fully developed. True\n\nWe determined the Department\xe2\x80\x99s security awareness policy met all requirements of\nNIST SP 800-53.38 However, one of three agencies reviewed did not have any policies to ensure\nthat all employees and contractors attended security awareness training.\n\n\n\n38\n     DM 3545-001 Computer Security Training and Awareness, dated February 17, 2005.\n\nAudit Report 50501-02-IT                                                                   24\n\x0c5a(2) Security awareness training procedures are not fully developed, sufficiently detailed\nor consistently implemented. True\n\nWe determined the Department\xe2\x80\x99s security awareness training procedures met all requirements of\nNIST SP 800-53. However, one of three agencies\xe2\x80\x99 procedures we reviewed during this audit did\nnot have all of the required elements to ensure employees and contractors received adequate role-\nbased security awareness training.\n\n5a(3) Specialized security training policy is not fully developed. True\n\nWe determined that the Department\'s policy for specialized security training was not fully\ndeveloped or sufficiently detailed.39 We found the Department\'s policy for specialized training\ndid not include a definition of significant information security responsibilities. Without a\ndefinition, agencies have interpreted the requirement inconsistently. 
In one agency, only security\nstaff employees were required to attend specialized training, not all personnel with significant\ninformation security responsibilities (such as server administrators). As of September 30, 2010,\nthe Department was working on a draft policy, including a formal definition.\n\n5a(4) Specialized security training procedures are not fully developed or sufficiently\ndetailed (NIST SP 800-50, NIST SP 800-53). True\n\nWe determined the Departmental procedures for specialized security training were not fully\ndeveloped or sufficiently detailed.40 In addition, audit work done by OIG and outside contractors\ndetermined that three of nine agency procedures did not include sufficient detail to ensure\npersonnel with significant security responsibilities obtained specialized training every year.\n\n5a(5) Training material for security awareness training does not contain appropriate\ncontent for the Agency (NIST SP 800-50, NIST SP 800-53). False\n\nNo exceptions noted.\n\n5a(6) Identification and tracking of employees with login privileges that require security\nawareness training is not adequate (NIST SP 800-50, NIST SP 800-53). True\n\nNIST SP 800-53 requires agencies to document and monitor individual information system\nsecurity training activities and to retain individual training records. Both OIG and outside\ncontractors found four of nine agencies did not have adequate identification and tracking of\nemployees with login privileges. 
Specifically, we found 344 of 8,060 employees with login\nprivileges did not have evidence that they had completed the annual security awareness training.\n\n\n\n\n39\n     DM 3545-002 USDA Information System Security Program, dated March 28, 2006.\n40\n     Departmental Standard Operating Procedure, Information Security Training, dated October 7, 2008.\n\nAudit Report 50501-02-IT                                                                                25\n\x0c5a(7) Identification and tracking of employees without login privileges that require\nsecurity awareness training is not adequate (NIST SP 800-50, NIST SP 800-53). True\n\nNIST SP 800-53 requires agencies to document and monitor individual information system\nsecurity training activities and to retain individual training records. Our review during this audit\nfound four of nine agencies did not adequately identify and track employees without login\nprivileges, which require security awareness training. We found 106 of 414 employees without\nlogin privileges did not have documented evidence that they had completed the annual security\nawareness training.\n\n5a(8) Identification and tracking of employees with significant information security\nresponsibilities is not adequate (NIST SP 800-50, NIST SP 800-53). True\n\nNIST SP 800-53 requires agencies to document and monitor individual information system\nsecurity training activities and to retain individual training records. Contractor testing on behalf\nof OIG identified one of seven agencies that did not have sufficient identification and tracking of\nemployees with significant information security responsibilities.\n\n5a(9) Training content for individuals with significant information security responsibilities\nis not adequate (NIST SP 800-53, NIST SP 800-16). True\n\nNIST SP 800-53 requires agencies to provide role-based training. 
Contractor testing on behalf of\nOIG identified one of seven agencies did not have sufficient training content for individuals with\nsignificant information security responsibilities.\n\n5a(10) Less than 90% of employees with login privileges attended security awareness\ntraining in the past year. False\n\nNo exceptions noted. Our testing identified 344 of 8,060 users (4 percent) with login privileges\nwho did not have evidence of completion of the annual security awareness training. Therefore,\n96 percent of users with login privileges attended security awareness training in the past year.\n\n5a(11) Less than 90% of employees, contractors, and other users with significant security\nresponsibilities attended specialized security awareness training in the past year. True\n\nNIST SP 800-53 requires agencies to document and monitor individual information system\nsecurity training activities and to retain individual training records. Our testing of 20 employees\nwith significant security responsibilities found 15 (75 percent) employees had documented\nevidence of specialized training attendance.\n\nS5: POA&M\n\nSection 5: Status of Plans of Actions & Milestones (POA&M) Program\n\n\n\n\nAudit Report 50501-02-IT                                                                      26\n\x0c6. Check one:\n\na. The Agency has established and is maintaining a POA&M program that is generally\nconsistent with NIST\'s and OMB\'s FISMA requirements and tracks and monitors known\ninformation security weaknesses. Although improvement opportunities may have been\nidentified by the OIG, the program includes the following attributes:\n\n         1. Documented policies and procedures for managing all known IT security\n         weaknesses.\n         2. Tracks, prioritizes and remediates weaknesses.\n         3. Ensures remediation plans are effective for correcting weaknesses.\n         4. Establishes and adheres to reasonable remediation dates.\n         5. 
Ensures adequate resources are provided for correcting weaknesses.\n         6. Program officials and contractors report progress on remediation to CIO on a\n         regular basis, at least quarterly, and the CIO centrally tracks, maintains, and\n         independently reviews/validates the POAM activities at least quarterly.\n\nb. The Agency has established and is maintaining a POA&M program that tracks and\nremediates known information security weaknesses. However, the Agency needs to make\nsignificant improvements as noted below.\n\nc. The Agency has not established a POA&M program.\n\n6a. If b. checked above, check areas that need significant improvement:\n\n6a(1) POA&M policy is not fully developed. True\n\nThe Department\xe2\x80\x99s security manual did not include a policy for establishing a POA&M process\nfor reporting IT security deficiencies and for tracking the status of remediation efforts.41 The\nDepartment stated that it is currently in the process of developing a draft policy, which has not\nyet been finalized. In addition, the three agencies reviewed did not have a POA&M policy.\n\n6a(2) POA&M procedures are not fully developed, sufficiently detailed, or consistently\nimplemented. True\n\nAlthough there were no formal policies, the Department had prepared a standard operating\nprocedure (SOP)42 concerning the POA&M Management Process. Our review of the SOP\ndetermined it was written prior to the implementation of CSAM and requires updating to reflect\nthe current POA&M process. We compared the Department\xe2\x80\x99s and agencies\xe2\x80\x99 procedures for the\n\n\n\n41\n   A POA&M is a tool that identifies tasks that need to be accomplished to assist agencies in identifying, assessing,\nprioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and\nsystems. 
It details resources required to accomplish the elements of the plan, milestones for meeting the task, and\nscheduled completion dates for the milestones. The goal of a POA&M should be to reduce the risk of the weakness\nidentified.\n42\n   POA&M Management Process, Standard Operating Procedure, dated February 27, 2008.\n\nAudit Report 50501-02-IT                                                                                      27\n\x0cuse and management of POA&Ms to OMB requirements.43 We determined the Department and\nthe three agencies did not include all the required criteria elements OMB outlines. For example,\nthe Department lacked procedures on linking to budgetary resources,44 and the agencies lacked\nprocedures on preparing POA&Ms for all IT security weaknesses.\n\nIn addition to reviewing policies and procedures for compliance, we tested to ensure the\nPOA&M procedures were being properly implemented. Departmental procedures state all\nPOA&Ms should contain the relevant security controls from NIST SP 800-53.45 However, we\nfound that 210 of 2,226 POA&Ms with a status of open during FY 2010 did not include the\nrequired NIST relevant security control. Departmental procedures also require the use of a\nclosure checklist. The checklist must then be uploaded into CSAM as an artifact of the POA&M\nwith which it is associated. This information is then used by the Department to ensure that\nPOA&Ms were properly closed. Our review found that 107 of 1,830 POA&Ms that were closed\nin FY 2010 did not have the closure checklist uploaded.\n\nFinally, Departmental procedures require requests for POA&M due date changes to be sent to\nand approved by the Department.46 Once approved, only the CSAM administration team is\nauthorized to make changes to the due date; however, our review found that five agencies had\npersonnel with the access privileges necessary to make these changes.\n\n6a(3) POA&Ms do not include all known security weaknesses (OMB M-04-25). 
True\n\nWe found POA&Ms did not include all known security weaknesses. For example, the\nDepartment requires an agency to create a POA&M when an identified vulnerability cannot be\nremediated within 30 days.47 However, testing at three agencies found 424 vulnerabilities that\nwere over 30 days old without the required POA&M.\n\n6a(4) Remediation actions do not sufficiently address weaknesses (NIST SP 800-53, Rev. 3,\nSect. 3.4 Monitoring Security Controls). True\n\nOMB M-04-25 specifies that a milestone will identify specific requirements to correct an\nidentified weakness. We determined that four of nine agencies reviewed by OIG or outside\ncontractors did not have POA&Ms which contained a documented resolution that sufficiently\naddressed the documented weakness. For example, one of the agencies we reviewed had a\nclosed POA&M that was supposed to ensure that all devices were scanned monthly. A closed\n\n\n43\n   OMB M-04-25, Fiscal Year 2004 Reporting Instructions for the Federal Information Security Management Act,\nAugust 23, 2004.\n44\n   OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones,\ndated October 17, 2001, states that \xe2\x80\x9cto promote greater attention to security as a fundamental management priority,\nOMB continues to take steps to integrate security into the capital planning and budget process,\xe2\x80\x9d and requires each\nPOA&M to be linked to its budgetary and capital planning by including the unique project identifier on all\nPOA&Ms.\n45\n   Standard Operating Procedure, Plan of Action and Milestones Closure Review, dated February 17, 2009.\n46\n   The Departmental Memo, Continuous Monitoring of Plans of Actions and Milestones (POA&M), dated\nFebruary 3, 2010.\n47\n   DM3530-001, Appendix A, Vulnerability Scan Procedures, July 20, 2005.\n\nAudit Report 50501-02-IT                                                                                     28\n\x0cPOA&M should signify that the 
weakness was corrected, but our audit work during the year\nfound the agency was still not scanning all its devices monthly.\n\n6a(5) Initial date of security weaknesses are not tracked (OMB M-04-25). True\n\nOMB M-04-25 requires agencies to prepare and submit POA&Ms for all programs and systems\nwhere an IT security weakness has been found. We found the Department did not create\nPOA&Ms at the time weaknesses were identified. For example, reviews of two of five agencies\nby OIG and outside contractors during the year found that those agencies were not tracking the\ninitial date of the security weakness. Also, the OIG FISMA report for FY 2009 provided numerous\nfindings and 14 recommendations. The POA&Ms for these recommendations were not created\nuntil July and August 2010. The Department stated it did not create POA&Ms until management\ndecision had been reached, rather than when the weakness was identified. OIG notes, however,\nthat USDA has not reached management decision for these recommendations as of the date of\nthis report\xe2\x80\x99s publication.48\n\n6a(6) Security weaknesses are not appropriately prioritized (OMB M-04-25). True\n\nOMB M-04-25 specifies that the purpose of a POA&M is to assist agencies in prioritizing the\nprogress of corrective efforts for security weaknesses found in programs and systems. Our\nreview of POA&Ms within the Department found that 7 of 31 agencies were not appropriately\ncategorizing security weaknesses. For example, the Department considers 29 security controls to\nbe critical and requires the agencies to test, report the results of that testing, and create POA&Ms\non weaknesses found with these controls on an annual basis. We found nine POA&Ms\nassociated with these key controls were prioritized as low or very low, instead of a higher\npriority.\n\n6a(7) Estimated remediation dates are not reasonable (OMB M-04-25). 
True\n\nDepartment procedures required POA&Ms with a Scheduled Completion Date of \xe2\x80\x9cto be\ndetermined\xe2\x80\x9d (TBD) to be reviewed and estimated completion dates populated.49 Our review of\n3,411 of USDA\xe2\x80\x99s POA&Ms found that 630 of the Scheduled Completion Dates were marked\nTBD. Unless a POA&M has a completion date, the Department cannot ensure that the problem\nis mitigated timely.\n\n6a(8) Initial target remediation dates are frequently missed (OMB M-04-25). True\n\nOur review of POA&Ms closed during FY 2010 found 533 of 1,830 were not completed by the\ndue date. Of the 533 POA&Ms that were not completed by the due date, we were able to\ndetermine that:\n\n        \xc2\xb7   369 POA&Ms were completed within 89 days after the due date,\n        \xc2\xb7   73 POA&Ms were completed 90 to 180 days late,\n        \xc2\xb7   91 POA&Ms were completed over 180 days late, and\n        \xc2\xb7   1 POA&M was completed 547 days late.\n\nAs of September 30, 2010, an additional 148 POA&Ms were overdue. We also found that three\nDepartmental POA&Ms with an end date of September 30, 2010 were changed to September 30,\n2011 without any documented reasons.\n\n48\n   Management decision is reached on an OIG recommendation when both the agency and OIG agree on the\ncorrective actions to be taken.\n49\n   "Changes in the Due Dates of Plan of Actions and Milestones (POA&M)," dated March 10, 2009.\n\n6a(9) POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control\nCA-5, and OMB M-04-25). True\n\nCSAM prohibits users from changing the Scheduled Completion Date field once it has been\nentered. Departmental procedures require special authorization to change the Scheduled\nCompletion Date. According to the Department, only members of the CSAM Administration\nteam within OCIO have the ability to change the Scheduled Completion Date. 
This change can\nonly be made once OCIO approves the request and forwards to the CSAM administration team a\nrequest to implement the date change. Departmental guidance requires that an actual date be\nentered in order to enforce adherence to the POA&M timeline. As noted in 6a(7), we found 630\nof the 3,411 POA&Ms had a Scheduled Completion Date of TBD, instead of an actual date that\ncould be tracked and monitored. In addition, 6 of 10 POA&Ms reviewed by OIG for this audit\nwere delayed without any documented reasons. One of those was cancelled without an\nexplanation.\n\n6a(10) Costs associated with remediating weaknesses are not identified (NIST SP 800-53,\nRev. 3, Control PM-3 & OMB M-04-25). True\n\nWe found that USDA has not met OMB\xe2\x80\x99s requirement50 to link budgetary resources to\nPOA&Ms. Of 1,830 POA&Ms closed in FY 2010, we found that 201 did not have the required\nbudgetary link field populated in CSAM. In addition, OMB M-04-25 requires each POA&M to\ninclude the associated amount of estimated funding to resolve the weakness. We found 728 of\n1,830 POA&Ms closed in FY 2010 listed $0 for the cost of correcting the weakness.\n\n6a(11) Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3, Control\nCA-5, and OMB M-04-25). True\n\nThe Department\xe2\x80\x99s SOP states all POA&Ms resulting from an audit are subject to the closure\nreview process. In addition, the SOP requires the Department to review 10 percent of the\nnon-audit-related closed POA&Ms. We found 30 closed audit POA&Ms that the Department did not\nreview. 
Also, we found that the Department only reviewed approximately 1.8 percent of closed\nPOA&Ms in FY 2010.\n\n\n\n\n50\n     OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones,\n     dated October 17, 2001, states that \xe2\x80\x9cto promote greater attention to security as a fundamental management\n     priority, OMB continues to take steps to integrate security into the capital planning and budget process,\xe2\x80\x9d and\n     requires each POA&M to be linked to its budgetary and capital planning by including the unique project identifier\n     on all POA&Ms.\n\nAudit Report 50501-02-IT                                                                                       30\n\x0cS6: Remote Access Management\nSection 6: Status of Remote Access Program\n\n7. Check one:\n\na. The Agency has established and is maintaining a remote access program that is generally\nconsistent with NIST\'s and OMB\'s FISMA requirements. Although improvement\nopportunities may have been identified by the OIG, the program includes the following\nattributes:\n\n           1. Documented policies and procedures for authorizing, monitoring, and controlling\n           all methods of remote access.\n           2. Protects against unauthorized connections or subversion of authorized\n           connections.\n           3. Users are uniquely identified and authenticated for all access.\n           4. If applicable, multi-factor authentication is required for remote access.\n           5. Authentication mechanisms meet NIST Special Publication 800-63 guidance on\n           remote electronic authentication, including strength mechanisms.\n           6. Requires encrypting sensitive files transmitted across public networks or stored\n           on mobile devices and removable media such as CDs and flash drives.\n           7. 
Remote access sessions are timed-out after a maximum of 30 minutes of inactivity\n           after which re-authentication is required.\n\nb. The Agency has established and is maintaining a remote access program. However, the\nAgency needs to make significant improvements as noted below.\n\nc. The Agency has not established a program for providing secure remote access.\n\n7a. If b. checked above, check areas that need significant improvement:\n\n7a(1) Remote access policy is not fully developed. True\n\nAlthough the Department has a remote access policy,51 we found it did not meet all NIST\nrequirements.52 We found that the Department\xe2\x80\x99s policy did not address key areas such as the\nadministration of remote access servers and periodic reassessment of the telework device\npolicies.\n\n7a(2) Remote access procedures are not fully developed, sufficiently detailed or\nconsistently implemented. True\n\nThe Department did not provide any procedures. The Department stated that it was responsible\nfor creating policy, but that it was the agencies\xe2\x80\x99 responsibility to create procedures to ensure the\npolicy is implemented.\n\n\n51\n     USDA Departmental Manual (DM) 3525-003, Telework and Remote Access Security, dated February 17, 2005.\n52\n     NIST SP 800-46, revision 1, Guide to Enterprise Telework and Remote Access Security, dated June 2009.\n\nAudit Report 50501-02-IT                                                                              31\n\x0c7a(3) Telecommuting policy is not fully developed (NIST SP 800-46, Section 5.1). True\n\nAs noted in 7a(1), we found the Departmental policy did not meet NIST guidance.\n\n7a(4) Telecommuting procedures are not fully developed or sufficiently detailed (NIST\n800-46, Section 5.4). True\n\nAs noted in 7a(2), the Department did not provide any procedures.\n\n7a(5) Agency cannot identify all users who require remote access (NIST SP 800-46, Section\n4.2, Section 5.1). 
True\n\nWe found that three of the eight agencies reviewed by OIG or outside contractors did not identify\nall users who required remote access. This occurred due to inadequate policies and procedures,\nwhich resulted in agencies only tracking their remote access devices, not the employees who\nwere using those devices.\n\n7a(6) Multi-factor authentication is not properly deployed (NIST SP 800-46, Section 2.2,\nSection 3.3). True\n\nDepartmental Regulation 3505-003 requires multi-factor authentication53 for all remote access.54\nHowever, we found six of seven agencies reviewed by OIG or outside contractors did not have\nmulti-factor authentication implemented. This occurred because the agencies were waiting on\nthe Departmental project to implement multi-factor authentication, which has a scheduled\ncompletion date of September 30, 2011.\n\n7a(7) Agency has not identified all remote devices (NIST SP 800-46, Section 2.1). True\n\nWe found that one of five agencies reviewed for this audit did not have an inventory of its\nremote access devices. This agency stated that everyone in the agency has remote access\ncapabilities if they have a laptop and an account, but the agency did not provide an inventory of\nits laptop devices. Additionally, the Departmental inventory of handheld devices with remote\naccess was reviewed as part of an audit performed earlier this year. The audit determined that\nthe agencies did not maintain a comprehensive inventory of wireless handheld devices.\n\n7a(8) Agency has not determined all remote devices and/or end user computers have been\nproperly secured (NIST SP 800-46, Section 3.1 and 4.2). True\n\nAs noted in 7a(6), USDA did not implement multi-factor authentication Departmentwide. 
We\nalso found that five of seven agencies reviewed were not encrypting removable media. This\noccurred because agencies were waiting for the completion of Departmental projects in order to\nimplement these security measures. In another audit, conducted during FY 2010, our review of\n277 wireless handheld devices found that none of those devices were adequately secured. Finally,\nOMB requires remote access to be timed out after 30 minutes of inactivity.55 We found that two\nof three agencies reviewed during this audit did not disconnect users after 30 minutes of\ninactivity.\n\n53\n   Multi-factor authentication is a security process in which the user provides two means of identification, one of\nwhich is typically a physical token, such as a card, and the other of which is typically something memorized, such as\na security code. In this context, the two factors involved are sometimes spoken of as something you have and\nsomething you know.\n54\n   DR 3505-003, Access Control Policy, dated August 11, 2009.\n\n7a(9) Agency does not adequately monitor remote devices when connected to the agency\'s\nnetworks remotely (NIST SP 800-46, Section 3.2). True\n\nWe found that three of four agencies reviewed were not adequately monitoring remote devices\nwhen connected to the agency\'s networks remotely, as required by NIST SP 800-46. This\noccurred because agencies relied on general network access logging to capture events.\nInadequate security controls over remote access logging could lead to unauthorized access, use,\ndisclosure, modification, or destruction of information.\n\n7a(10) Lost or stolen devices are not disabled and appropriately reported (NIST SP 800-\n46, Section 4.3, US-CERT Incident Reporting Guidelines). 
True\n\nDuring an OIG audit performed this year, we found that agencies had deployed devices which\ncould not be remotely disabled when lost or stolen. This occurred because the Department had\nnot established policies and procedures over wireless handheld devices.\n\n7a(11) Remote access rules of behavior are not adequate (NIST SP 800-53, PL-4). True\n\nWe found that all four agencies reviewed by OIG or outside auditors did not have adequate rules\nof behavior for remote access. This occurred because all agencies relied on the general rules of\nbehavior, which did not specifically refer to remote access. As a result, inadequate security\nconcerning remote access could lead to unauthorized access, use, disclosure, disruption,\nmodification, or destruction of information.\n\n7a(12) Remote access user agreements are not adequate (NIST SP 800-46, Section 5.1,\nNIST SP 800-53, PS-6). True\n\nWe found four agencies reviewed by OIG or outside contractors did not have adequate remote\naccess user agreements. The agencies did not have user agreements for remote access and relied\non the general rules of behavior, which did not specifically refer to remote access. As a result,\ninadequate security of remote access could lead to unauthorized access, use, disclosure,\ndisruption, modification, or destruction of information.\n\nS7: Identity and Access Management\nSection 7: Status of Account and Identity Management Program\n\n\n\n55\n  OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable\nInformation, dated May 22, 2007.\n\nAudit Report 50501-02-IT                                                                           33\n\x0c8. Check one:\n\na. The Agency has established and is maintaining an account and identity management\nprogram that is generally consistent with NIST\'s and OMB\'s FISMA requirements and\nidentifies users and network devices. 
Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

   1. Documented policies and procedures for account and identity management.
   2. Identifies all users, including federal employees, contractors, and others who access Agency systems.
   3. Identifies when special access requirements (e.g., multi-factor authentication) are necessary.
   4. If multi-factor authentication is in use, it is linked to the Agency's PIV program.
   5. Ensures that the users are granted access based on needs and separation of duties principles.
   6. Identifies devices that are attached to the network and distinguishes these devices from users.
   7. Ensures that accounts are terminated or deactivated once access is no longer required.

b. The Agency has established and is maintaining an account and identity management program that identifies users and network devices. However, the Agency needs to make significant improvements as noted below.

c. The Agency has not established an account and identity management program.

8a. If b. checked above, check areas that need significant improvement:

8a(1) Account management policy is not fully developed. True

Although the Department developed an account and identity management policy, it was not fully developed, sufficiently detailed, or consistently implemented. The Department policy did not contain all controls required in NIST SP 800-53. For example, the Department was unable to provide a policy for the identification and authentication of devices on the network, as required by NIST SP 800-53. In addition, two of the three agencies reviewed during this audit did not have a formal policy for account management.

8a(2) Account management procedures are not fully developed, sufficiently detailed or consistently implemented. True

We found that the Department had developed an account and identity management program, but it had not developed procedures as required by NIST SP 800-53. This occurred because the Department stated it was only responsible for creating policy and that the development and implementation of the procedures was the agencies’ responsibility. Our review of the three selected agencies found that the agencies did not have formal procedures meeting all NIST requirements.

8a(3) Active Directory is not properly implemented (NIST SP 800-53, AC-2). True

We found that four of the six agencies reviewed by OIG or outside contractors had not properly implemented Active Directory, as required by NIST SP 800-53.[56] For example, our review of one agency found that an excessive number of accounts had administrator level access. NIST states that users requiring administrative privileges on information system accounts receive additional scrutiny and that administrator accounts should employ the concept of least privilege. Microsoft best practices describe an Enterprise Administrator as being “[r]esponsible for top-level service administration across the enterprise,”[57] yet we found 46 of these accounts in one agency’s Active Directory. Also, Microsoft best practices describe a Domain Administrator as being “[r]esponsible for top-level service administration across the domain” and state that the group “should contain only a small, manageable number of trusted administrators,” yet we found 870 of these accounts in the agency’s Active Directory. In addition, we found there were no Departmental or agency policies and procedures for implementing the Active Directory. Our review identified an excessive number of elevated privileged user accounts, which could result in unauthorized access, use, disclosure, disruption, modification, or destruction of information.

8a(4) Other Non-Microsoft account management software is not properly implemented (NIST SP 800-53, AC-2). N/R

Not reviewed.

8a(5) Agency cannot identify all User and Non-User Accounts (NIST SP 800-53, AC-2). True

We found that 12 of 13 agencies reviewed by OIG, outside contractors, or during annual self-assessments could not identify all user and non-user accounts as required by NIST SP 800-53. NIST specifies that organizations should identify authorized users, deactivate temporary accounts when no longer needed, and deactivate the accounts of terminated or transferred users. We found the Department and its agencies were not meeting this control. For example, in one review performed this year, we identified 148 active accounts for employees who had separated from the agency. In addition, during the annual self-assessments performed, eight agencies identified weaknesses in deactivating separated employee accounts. Agencies were not reviewing user accounts within Active Directory and were not following user account policy and procedures, such as deactivating or removing separated employees. As a result, user accounts remained active after an employee left service, which could lead to unauthorized access, use, disclosure, disruption, modification, or destruction of information.

8a(6) Accounts are not properly issued to new users (NIST SP 800-53, AC-2). True

We found that 8 of the 12 agencies reviewed by OIG or outside contractors were not properly issuing accounts to new users, as required by NIST SP 800-53. NIST specifies that organizations should establish conditions for group membership, identify authorized users, specify access privileges, require appropriate approval for establishing accounts, and grant access based on need. In addition, during the annual self-assessments performed, four agencies identified weaknesses for properly issuing new user accounts. Agencies were not properly documenting and approving new user requests in accordance with their own policies and procedures.

[56] Active Directory is a software component of Microsoft products that facilitates authenticating users and controlling access to network resources.
[57] Microsoft provides best practice guides to assist organizations in enhancing the security of their Active Directory systems.

8a(7) Accounts are not properly terminated when users no longer require access (NIST SP 800-53, AC-2). True

Departmental regulations require that, when an individual is terminated, the account be deleted or disabled within 48 hours of that person’s departure.[58] As noted in 8a(5), we found that 12 of the 13 agencies reviewed by OIG, outside contractors, or during annual self-assessments did not properly terminate users when their access was no longer required. For example, in one review performed this year, we found 148 active accounts for employees who had separated from the agency. Agencies were not reviewing user accounts within the Active Directory and were not following user account policy and procedures, such as deactivating or removing separated employees.
As a result of these reviews, we found user accounts that remained active after an employee left service and that could result in unauthorized access, use, disclosure, disruption, modification, or destruction of information.

8a(8) Agency does not use multi-factor authentication where required (NIST SP 800-53, IA-2). True

As noted in 7a(6), we found six of seven agencies reviewed by OIG or outside contractors that did not require multi-factor authentication.

8a(9) Agency has not adequately planned for implementation of PIV for logical access (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01). True

We found that two of three agencies reviewed had not issued all individuals the Homeland Security Presidential Directive (HSPD)-12 credentials.[59] Currently, none of the three agencies requires HSPD-12 credentials for multi-factor authentication to systems, although one agency reported that all of its employees have been issued the credentials. Each of the three agencies we reviewed reported they are waiting for the Department project to implement multi-factor authentication. Although the original implementation date was scheduled for September 30, 2009, this project is now scheduled to be completed on September 30, 2011.

[58] USDA Departmental Regulation, DR 3505-003, Access Control Policy, dated August 11, 2009.
[59] FIPS Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, states that Homeland Security Presidential Directive 12 (HSPD-12), entitled Policy for a Common Identification Standard for Federal Employees and Contractors, provides for a Federal standard for secure and reliable forms of identification for Federal employees and contractors. Implementation of HSPD-12 specifies that the credential is an integrated circuit card. The card must store personalized identity information for the person to whom the card was issued. The cards will be used for electronic verification for logical access to information resources. For example, a cardholder may log in to their agency network using the PIV card; the identity established through this authentication process can be used for determining access to file systems, databases, and other services available on the network.

8a(10) Privileges granted are excessive or result in capability to perform conflicting functions (NIST SP 800-53, AC-2, AC-6). True

We found that 11 of the 13 agencies reviewed this fiscal year by OIG, outside contractors, or during annual self-assessments had granted users excessive privileges, or otherwise allowed them the capacity to perform conflicting functions. These agencies did not ensure that users were granted their access based on their work needs, and did not follow separation of duty principles, as required by NIST SP 800-53.

NIST states that organizations should identify authorized users of information systems and specify access privileges, require appropriate approval, grant access based on need, periodically review accounts, provide additional scrutiny of administrative accounts, follow separation of duty principles, and utilize the concept of least privilege. We found, however, that nine agencies reported weaknesses in granting excessive privileges; six reported weaknesses in separation of duty principles; and six reported a lack of a periodic review of user accounts during their annual self-assessments.

8a(11) Agency does not use dual accounts for administrators (NIST SP 800-53, AC-5, AC-6). True

We found that six of nine agencies reviewed this fiscal year were not using dual accounts for administrators, as required by NIST SP 800-53. NIST states that a privileged user should have a second non-privileged account to support the principle of least privilege. This is commonly referred to as dual accounts for administrators. For example, in our review of one agency’s Active Directory, we found 15 administrators who did not have dual accounts. In addition, the annual agency self-assessments found that two other agencies had administrators without a second non-privileged user account. Our review of Departmental Regulation 3505-003 found the policy did not address dual accounts.

8a(12) Network devices are not properly authenticated (NIST SP 800-53, IA-3). True

We found that none of the six agencies reviewed by OIG or outside contractors were able to identify and properly authenticate all devices attached to their networks, as required by NIST SP 800-53. NIST states that a system should uniquely identify and authenticate devices before establishing connections. The Department was not able to provide policy or procedures to support the identification and authentication of network devices. Also, the three agencies reviewed for this audit did not provide policy or procedures. The agencies stated they could only discover a rogue device if it was connected to their network during the monthly discovery scans.[60]

[60] A rogue device is one attached to the network without the agency’s permission.

S8: Continuous Monitoring Management
Section 8: Status of Continuous Monitoring Program

9. Check one:

a. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

   1. Documented policies and procedures for continuous monitoring.
   2. Documented strategy and plans for continuous monitoring, such as vulnerability scanning, log monitoring, notification of unauthorized devices, sensitive new accounts, etc.
   3. Ongoing assessments of selected security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans.
   4. Provides system authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions.

b. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems. However, the Agency needs to make significant improvements as noted below.

c. The Agency has not established a continuous monitoring program. (Details of the findings are included in 9a below.)

9a. If b. checked above, check areas that need significant improvement:

9a(1) Continuous monitoring policy is not fully developed. True

The Department did not have a continuous monitoring policy, and the program is not scheduled for full implementation until the end of FY 2011. In addition, we found that all three agencies reviewed during this audit did not have a fully developed continuous monitoring policy that met NIST SP 800-53 requirements.

9a(2) Continuous monitoring procedures are not fully developed or consistently implemented. True

The Department and the three agencies reviewed during this audit were not able to provide procedures governing continuous monitoring.
NIST SP 800-53 requires that organizations establish a continuous monitoring strategy and implement a continuous monitoring program. This includes a configuration management process for the information system and its constituent components, as well as a determination of the security impact of changes to the information system and environment of operation.

9a(3) Strategy or plan has not been fully developed for entity-wide continuous monitoring (NIST SP 800-37). True

NIST states that an organization should formulate a strategy or plan which is fully developed for entity-wide continuous monitoring.[61] The plan should consist of a comprehensive governance structure and organization-wide risk management strategy, which includes the techniques and methodologies the organization plans to employ to assess information system security risks. The strategy and plans the Department provided for developing an entity-wide continuous monitoring plan were in draft and are estimated to be completed September 2011.

9a(4) Ongoing assessments of selected security controls (system-specific, hybrid, and common) have not been performed (NIST SP 800-53, NIST SP 800-53A). True

NIST SP 800-53 states that Federal agencies will assess the security controls in an information system as part of the testing/evaluation process. We identified 23 of 282 systems for which the Department had not performed ongoing assessments of selected security controls in FY 2010.

9a(5) The following were not provided to the system authorizing official or other key system officials: security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST SP 800-53, NIST SP 800-53A). True

We identified one of seven agencies that did not provide the system authorizing official or other key system officials with security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms.

[61] NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004.

S9: Contingency Planning
Section 9: Status of Contingency Planning Program

10. Check one:

a. The Agency established and is maintaining an entity-wide business continuity/disaster recovery program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

   1. Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster.
   2. The agency has performed an overall Business Impact Assessment.
   3. Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures.
   4. Testing of system specific contingency plans.
   5. The documented business continuity and disaster recovery plans are ready for implementation.
   6. Development of training, testing, and exercises (TT&E) approaches.
   7. Performance of regular ongoing testing or exercising of continuity/disaster recovery plans to determine effectiveness and to maintain current plans.

b. The Agency has established and is maintaining an entity-wide business continuity/disaster recovery program. However, the Agency needs to make significant improvements as noted below.

c.
The Agency has not established a business continuity/disaster recovery program.

10a. If b. checked above, check areas that need significant improvement:

10a(1) Contingency planning policy is not fully developed. True

We found that the Department’s contingency planning policy meets NIST SP 800-53 requirements. However, we found that 1 of 22 agencies’ policies reviewed did not meet NIST requirements.

10a(2) Contingency planning procedures are not fully developed or consistently implemented. True

We found that 2 of 23 agency systems we reviewed did not have fully developed and consistently implemented procedures for contingency planning. For example, during one audit conducted this year, we found that 9 of 18 field sites did not have or were unable to provide backup procedures.

10a(3) An overall business impact assessment has not been performed (NIST SP 800-34). True

USDA’s Office of Homeland Security did not provide OIG a business impact assessment.

10a(4) Development of organization, component, or infrastructure recovery strategies and plans has not been accomplished (NIST SP 800-34). True

NIST states that recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption.[62] We identified 20 of 279[63] systems for which the Department had not developed organization, component, or infrastructure recovery strategies.

10a(5) A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP 800-34). False

No exceptions noted.

[62] NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, dated June 2002.
[63] Based on a CSAM run date of October 22, 2010.

10a(6) A business continuity/disaster recovery plan has been developed, but not fully implemented (FCD1, NIST SP 800-34). True

We found that all 30 systems we reviewed had developed business continuity/disaster recovery plans; however, one plan had not been fully implemented.

10a(7) System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 requires Federal agencies to develop a formal, documented contingency plan that addresses purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities in planning controls. We identified 17 of 279 systems for which the contingency plan field in CSAM was marked as “not applicable” or “in progress” and was therefore not complete.

10a(8) Critical systems contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 requires Federal agencies to test and exercise the contingency plan for information systems, using organization-defined tests or exercises to determine the plan’s effectiveness and the organization’s readiness to execute the plan and initiate corrective actions. We identified 48 of 279 critical systems for which USDA had not tested its contingency plans.

10a(9) Training, testing, and exercises approaches have not been developed (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 requires Federal agencies to test and exercise the contingency plan for the information system, using organization-defined tests or exercises to determine the plan’s effectiveness and the organization’s readiness to execute the plan and initiate corrective actions. We found 6 of 25 systems reviewed by OIG or outside contractors for which USDA had not fully developed training, testing, and exercise approaches.

10a(10) Training, testing, and exercises approaches have been developed, but are not fully implemented (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 requires Federal agencies to test and exercise the contingency plan for the information system, using organization-defined tests or exercises to determine the plan’s effectiveness and the organization’s readiness to execute the plan and initiate corrective actions. Our review found that USDA had not fully implemented training, testing, and exercise approaches for 8 of 30 systems. For example, one system was last tested in 2008 and another had TBD in the Contingency Test Date Completed field.

10a(11) Disaster recovery exercises were not successful or revealed significant weaknesses in the contingency planning (NIST SP 800-34). True

NIST SP 800-34 states that recovery strategies should provide a means to restore IT operations quickly and effectively following a service disruption. The strategies should address disruption impacts and allowable outage times identified in the BIA. Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger organization-level contingency plans. Our review found that USDA did not have disaster recovery exercises which were successful at revealing significant weaknesses in the contingency plan for 3 of 30 systems.

10a(12) After-action plans did not address issues identified during disaster recovery exercises (FCD1, NIST SP 800-34). True

NIST SP 800-34 states that all recovery and reconstitution events should be well documented, including actions taken and problems encountered during the recovery and reconstitution efforts. An after-action report with lessons learned should be documented and updated. Our review found that USDA did not have after-action plans that addressed issues identified during the disaster recovery exercises for 4 of 30 systems.

10a(13) Critical systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53). False

No exceptions noted.

10a(14) Alternate processing sites are subject to same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-34 states that when selecting an offsite storage facility for backups, the Federal agency should select a site in a different geographic area far enough from the organization’s primary site that the storage site will not be affected by the same disaster as the primary site. During one audit conducted during FY 2010, OIG found that 16 of 18 alternate processing sites were subject to the same risks as the primary sites.

10a(15) Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53). False

No exceptions noted.

10a(16) Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53). True

NIST SP 800-53 states that the organization should test backup information to verify media reliability and information integrity. During an audit conducted during the year, we found that 17 of 18 field sites had not performed regular recovery tests. In addition, for this agency, we found that only two documented backup/recovery tests were completed for over 2,400 field sites.

10a(17) Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP 800-53). False

No exceptions noted.

S10: Contractor Systems
Section 10: Status of Agency Program to Oversee Contractor Systems

11. Check one:

a.
The Agency has established and maintains a program to oversee systems operated on its\nbehalf by contractors or other entities. Although improvement opportunities may have\nbeen identified by the OIG, the program includes the following attributes:\n\n       1. Documented policies and procedures for information security oversight of\n       systems operated on the Agency\'s behalf by contractors or other entities the Agency\n       obtains sufficient assurance that security controls of systems operated by\n       contractors or others on its behalf are effectively implemented and comply with\n       federal and agency guidelines.\n       2. A complete inventory of systems operated on the Agency\'s behalf by contractors\n       or other entities.\n       3. The inventory identifies interfaces between these systems and Agency-operated\n       systems.\n       4. The agency requires agreements (MOUs, Interconnect Service Agreements,\n       contracts, etc.) for interfaces between these systems and those that is owns and\n       operates.\n       5. The inventory, including interfaces, is updated at least annually.\n       6. Systems that are owned or operated by contractors or entities are subject to and\n       generally meet NIST and OMB\'s FISMA requirements.\n\nb. The Agency has established and maintains a program to oversee systems operated on its\nbehalf by contractors or other entities. However, the Agency needs to make significant\nimprovements as noted below.\n\nc. The Agency does not have a program to oversee systems operated on its behalf by\ncontractors or other entities. (Details of the findings are included in 11a below)\n\n11a. If b. checked above, check areas that need significant improvement:\n\n11a(1) Policies to oversee systems operated on the Agency\'s behalf by contractors or other\nentities are not fully developed. 
True

We found the Department did not have policies to oversee systems operated on the agency’s
behalf by contractors or other entities. The Department is in the process of drafting a memo on
overseeing contractors’ systems.

Audit Report 50501-02-IT                                                                   43

11a(2) Procedures to oversee systems operated on the Agency's behalf by contractors or
other entities are not fully developed or consistently implemented. True

We found the Department did not have procedures to oversee systems operated on the agency’s
behalf by contractors or other entities. The Department stated that the agencies are responsible
for developing their own procedures.

11a(3) The inventory of systems owned or operated by contractors or other entities is not
sufficiently complete. True

We found that the Department did not have a complete inventory of its contractor systems.
During the FY 2009 FISMA audit, we identified 12 systems which should have been designated
as contractor systems. In FY 2010, we found that only one system designation had been changed
to a contractor system. In response to the FY 2009 FISMA audit, the Department stated that it
would review the systems and change the designation to contractor systems if appropriate. We
found that the Department had not accomplished this review. During this audit, the Department
did respond that at least 6 of those systems should have been identified as contractor systems.

11a(4) The inventory does not identify interfaces between contractor/entity-operated
systems to Agency-owned and -operated systems. True

FISMA requires agencies to maintain an inventory of information systems, which includes an
identification of the interfaces between each system, and all other systems or networks, including
those not operated by, or under the control of, the agency.[64]

We found that the Department was not maintaining an accurate inventory of interfaces in CSAM.
We reviewed 31 SSPs and then compared the list of interfaces to those documented in CSAM.
We found that the Department was not accurately reporting interfaces/interconnections with other
systems for 22 of 31 systems. Agencies were responsible for accurately documenting interface
data in CSAM, but they failed to account for all interconnections. Since interfaces allow the
exchange of data between two systems, it is important that security controls in each
interconnected system accurately reflect the risk of inadvertent disclosure of information.
Without proper documentation and testing of those interfaces, the confidentiality, integrity, and
availability of the exchanged data could have been compromised without discovery.

11a(5) The inventory of contractor/entity-operated systems, including interfaces, is not
updated at least annually. True

NIST specifies that organizations should review the security controls for the interconnection at
least annually or whenever a significant change occurs to ensure they are operating properly and
are providing appropriate levels of protection.[65] As noted in 11a(3), the Department did not
update its inventory of contractor systems in FY 2010. In addition, as noted in 11a(4), we found
that the Department had not identified all interfaces.

[64] FISMA of 2002, Title III, Information Security, dated December 17, 2002.
[65] NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, dated August 2002.

11a(6) Systems owned or operated by contractors and entities are not subject to NIST and
OMB's FISMA requirements (e.g., certification and accreditation requirements). True

Departmental procedures require that deactivated systems which have reached the final phase in
the System Development Life Cycle (SDLC) should be retired. Agencies must contact OCIO in
writing, specifically stating that the retired/deactivated system is no longer processing any
transactions or information, and has been completely removed from the network.[66] All
information, including the deactivation date, must be completed for the system inventory update.
During our review, we found that the documented reason for one system’s retirement was
“services to the end user and partner agencies will continue unabated as the contracted service
will continue to operate without change. This retirement is strictly an administrative change in
status in the CSAM and EAR repositories.” According to this statement, the change is to remove
the system from CSAM and FISMA reporting.

11a(7) Systems owned or operated by contractors and entities do not meet NIST and
OMB's FISMA requirements (e.g., certification and accreditation requirements). True

As noted in 11a(6), we did note one system that appears to be a contractor system that is still
operating but that was removed from CSAM.

11a(8) Interface agreements (e.g., MOUs) are not properly documented, authorized, or
maintained. True

We found that the Department did not maintain an inventory of interface agreements.
NIST SP 800-47 states that a Memorandum of Understanding (MOU) defines the responsibilities
of the participating organizations and that the joint planning team should identify and examine
all relevant technical, security, and administrative issues surrounding the proposed
interconnection. This information may be used to develop an Interconnection Security
Agreement (ISA) and a Memorandum of Understanding or Agreement (MOU/A) (or an
equivalent document). Twenty-two of the 31 systems reviewed during this audit did not have the
required MOU/ISA.

[66] SOP-ISD-007, Information Technology Inventory Reconciliation and Certification-Standard Operating
Procedure, April 28, 2009.
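The reconciliation the auditors describe under 11a(4), 11a(5) and 11a(8), comparing each system's SSP-declared interconnections against the inventory record, the MOU/ISA coverage of each interconnection, and the age of the last interconnection review, written out as an added Python example that is not part of the report; the system records, partner names and review dates are constructed placeholders, not USDA data.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class SystemRecord:
    """One FISMA system: what its SSP declares versus what the inventory records."""
    name: str
    ssp_interfaces: set[str]                      # interconnections declared in the SSP
    csam_interfaces: set[str]                     # interconnections recorded in the inventory
    agreements: set[str] = field(default_factory=set)  # peers covered by a signed MOU/ISA
    last_reviewed: date | None = None             # date of the last interconnection review

def reconcile(systems, today, max_age_days=365):
    """Return {system: [(finding, affected peers), ...]}; an empty list means no finding."""
    findings = {}
    for s in systems:
        issues = []
        not_in_inventory = s.ssp_interfaces - s.csam_interfaces
        if not_in_inventory:                      # 11a(4): SSP interface missing from inventory
            issues.append(("interfaces_not_in_inventory", sorted(not_in_inventory)))
        not_in_ssp = s.csam_interfaces - s.ssp_interfaces
        if not_in_ssp:                            # inventory lists a link the SSP never documents
            issues.append(("interfaces_not_in_ssp", sorted(not_in_ssp)))
        no_agreement = s.ssp_interfaces - s.agreements
        if no_agreement:                          # 11a(8): interconnection without an MOU/ISA
            issues.append(("missing_mou_isa", sorted(no_agreement)))
        stale = s.last_reviewed is None or (today - s.last_reviewed).days > max_age_days
        if s.ssp_interfaces and stale:            # 11a(5): not reviewed within the last year
            issues.append(("review_overdue", []))
        findings[s.name] = issues
    return findings

def summarize(findings):
    """Return (systems with a finding, systems reviewed), the report's 'N of M' form."""
    return sum(1 for v in findings.values() if v), len(findings)

# Constructed sample data; system and partner names are placeholders, not USDA systems.
SAMPLE = [
    SystemRecord("SYS-A", {"SYS-B", "PARTNER-X"}, {"SYS-B"}, {"SYS-B"}, date(2010, 3, 1)),
    SystemRecord("SYS-B", {"SYS-A"}, {"SYS-A"}, {"SYS-A"}, date(2010, 6, 15)),
    SystemRecord("SYS-C", {"PARTNER-Y"}, {"PARTNER-Y"}, set(), date(2008, 9, 30)),
]

def run_sample(today=date(2010, 9, 30)):
    """Reconcile the sample as of a constructed audit date; returns the findings dict."""
    return reconcile(SAMPLE, today)
```

On the sample, SYS-A has an interconnection its inventory entry and its agreements both omit, SYS-C has no MOU/ISA and an overdue review, and SYS-B is clean, so summarize() reports 2 of 3 systems with findings.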
